Release Notes

Shibboleth Native SP
2.0
3/17/2008

NOTE: The shibboleth2.xml configuration format in this release
is compatible with the RC1 release. Upgrading from earlier
releases is NOT supported without replacing the configuration
file and reapplying changes.

Fully Supported

- SAML 1.0, 1.1, 2.0 Single Sign-On
	- Shibboleth 1.x request profile
	- 1.x POST/Artifact profiles
	- 2.0 HTTP-Redirect/POST/POST-SimpleSign/Artifact/PAOS bindings

- SAML 1.0, 1.1, 2.0 Attribute Query via Attribute Resolver plugin
	- SAML SOAP binding

- SAML 2.0 Single Logout
    - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
    - Front and back-channel application notification of logout
    - Race detection of late arriving assertions

- SAML 2.0 NameID Management (IdP-initiated only)
    - HTTP-Redirect/POST/POST-SimpleSign/Artifact bindings
    - Front and back-channel application notification of changes

- ADFS WS-Federation Support
    - SSO and SLO
    - experimental support for SAML 2.0 assertions

- Shibboleth WAYF and SAML DS protocols for IdP Discovery

- Metadata Providers
	- Bulk resolution via local file, or URL with local file backup
	- Dynamic resolution and caching based on entityID 
	- Filtering based on whitelist, blacklist, or signature verification  

- Metadata Generation Handler
    - Generates and optionally signs SAML metadata based on SP configuration

- Status Handler
    - Reports on status and configuration of SP
    
- Session Handler
    - Dumps information about an active session 

- Trust Engines
	- Explicit key and PKIX engines via metadata, superset compatible with 1.3
	- PKIX trust engine with static root list
	
- Configurable per-endpoint Security Policy rules
	- Replay and freshness detection
	- XML signing
	- Simple "blob" signing
	- TLS X.509 certificate authentication

- Client transport authentication to SOAP endpoints via libcurl
	- TLS X.509 client certificates
	- Basic-Auth
	- Digest-Auth (untested)
	- NTLM (untested)

- Encryption
	- All incoming SAML 2 encrypted element types (Assertion, NameID, Attribute)
	- Optional outgoing encryption of NameID in requests and responses

- Attributes
	- Decoding and exporting SAML 1 and 2 attributes
		- Strings
		- Value/scope pairs (legacy and value@scope syntaxes supported)
		- NameIDs

- Attribute Filtering
	- Policy language compatible with IdP filtering, except that references
		only work within policy files, not across them
	- Rules based on, attribute issuer, requester, scope, and value, authentication
		method, based on exact string and regular expressions.
    - Boolean functions supporting AND, OR, and NOT for use in composing rules
    - Wildcard rules allowing all unspecified attributes through with no filtering

- Assertion Export
	- Oversized header replaced with Shib-Assertion-Count and Shib-Assertion-NN headers
		containing local URL to fetch SAML assertion using HTTP GET

- Enhanced Spoofing Detection
	- Detects and blocks client headers that would match known attribute headers
	- Does not support Apache mod_rewrite, but can be disabled when necessary

- ODBC Clustering Support
	- Tested against a few different servers with various drivers

- RequestMap enhancements
    - Regular expression matching for hosts and paths
    - Query string parameter matching

- Error handling enhancements
    - Reporting of SAML status errors
    - Optional redirection to custom error handler

- Apache module enhancements
    - "OR" coexistence with other authorization modules
    - htaccess-based override of any valid RequestMap property 

- Command line tools
    - samlsign for manual XML signing and verification
    - mdquery for interrogating via metadata configuration
    - resolvertest for exercising attribute extraction, filtering, and resolution

- Migrating 1.3 core configuration file
    - Stylesheet can handle some common options
